Govt to notify Data Protection Board, release rules of DPDP Act in a month

Minister of State for Electronics and Information Technology Rajeev Chandrasekhar chaired a consultation on Digital Personal Data Protection Act in New Delhi on September 20

The Indian government will notify the Data Protection Board (DPB) within 30 days, and is also set to release the rules of the Digital Personal Data Protection (DPDP) Act, which was passed in August, said Minister of State for Electronics and Information Technology Rajeev Chandrasekhar on August 20.

The DPB will be the nodal body responsible for enforcing the DPDP Act, and more importantly it will also be tasked for taking action against data fiduciaries in regards to non-compliance with the Act or in events of data breaches.

Chandrasekhar who was heading a consultation organised by MeitY on the DPDP Act, informed that if there are breaches under the DPDP Act, they will "get accumulated" and they will be taken up by DPB after it gets constituted.

The chairperson and members of the DPB will be appointed by the central government. The government was also recently criticised for empowering the DPB with powers to ask the central government to take down content.

Also read: Data Protection Board will not be a regulator like RBI or Sebi, says Rajeev Chandrasekhar

If the DPDP Act in its current form provides a framework for the legislation, the rule-making process will shape its contours. For instance, the Act states that the government will list a number of countries where data cannot be transferred. The rule-making processes will define on what basis a country can be "blacklisted".

Chandrasekhar said, "Over the next 30 days, we will put out the necessary rules." Chandrasekhar added the government may not prescribe all of the rules immediately, and in the next 30 days, it will take up consultations regarding the draft rules that it intends to notify.

At least 25 rules must be formulated by the government to implement the DPDP Act. A government official said that the draft rules are ready.

Also read: Govt proposes Rs 25 crore one-time expense to set up Data Protection Board, annual expenditure of Rs 10 crore

Eight rules will be put in place by the government, including one on consent management, Chandrasekhar told reporters on the sidelines of the event.

A consent manager will represent a user and will take action on their behalf when granting, managing, reviewing, or revoking consent.

It is important to note that even though the DPDP Act has been passed into a law, its provisions have still not been implemented.

In that regard, Chandrasekhar during the consultation said that three categories of data fiduciaries will get exemption from immediate implementation of the DPDP Act.

The three categories of data fiduciaries are certain government entities, which are lowest in terms of digitisation such as Panchayats and so on (Chandrasekhar clarified that "not all of government" will be exempted or will have a transition period); MSMEs that deal with citizens' data and lastly, startups.

"Unless you are exempted or given a transition period explicitly in our notification, the Act will be enforced for all data fiduciaries that are interacting with citizens' data," Chandrasekhar said.

Big Tech companies and industry bodies representing such companies have for long been demanding around a two-year transition period for complying with the law.

While speaking to reporters on the sidelines, Chandrasekhar said that the government expects transition for most of the provisions of the Act (except age-gating) within 12 months.

Chandrasekhar made it clear that the government will not wait that long to implement the law, and said that if a company requested additional time for compliance with the law then they would have to come up with a specific reason for the same.

"We would like this to be implemented as soon as possible. But we will also like this to be implemented with zero disruption," Chandrasekhar added.